SAP Enterprise Application Software
Don't miss out!
Thousands of developers use stack.watch to stay informed.Get an email whenever new security vulnerabilities are reported in any SAP product.
Products by SAP Sorted by Most Security Vulnerabilities since 2018
Known Exploited SAP Vulnerabilities
The following SAP vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
Title | Description | Added |
---|---|---|
SAP Commerce Cloud Deserialization of Untrusted Data Vulnerability |
SAP Commerce Cloud (formerly known as Hybris) contains a deserialization of untrusted data vulnerability within the mediaconversion and virtualjdbc extension that allows for code injection. CVE-2019-0344 Exploit Probability: 28.4% |
September 30, 2024 |
SAP Multiple Products HTTP Request Smuggling Vulnerability |
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server and SAP Web Dispatcher allow HTTP request smuggling. An unauthenticated attacker can prepend a victim's request with arbitrary data, allowing for function execution impersonating the victim or poisoning intermediary Web caches. CVE-2022-22536 Exploit Probability: 95.7% |
August 18, 2022 |
SAP NetWeaver Unrestricted File Upload vulnerability |
SAP NetWeaver contains a vulnerability that allows unrestricted file upload. CVE-2021-38163 Exploit Probability: 92.2% |
June 9, 2022 |
SAP NetWeaver SQL Injection Vulnerability |
SQL injection vulnerability in the UDDI server in SAP NetWeaver J2EE Engine 7.40 allows remote attackers to execute arbitrary SQL commands via unspecified vectors. CVE-2016-2386 Exploit Probability: 55.4% |
June 9, 2022 |
SAP NetWeaver Information Disclorsure Vulnerability |
The Universal Worklist Configuration in SAP NetWeaver AS JAVA 7.4 allows remote attackers to obtain sensitive user information via a crafted HTTP request. CVE-2016-2388 Exploit Probability: 0.9% |
June 9, 2022 |
SAP NetWeaver AS JAVA CRM Remote Code Execution Vulnerability |
SAP CRM, 7.01, 7.02,7.30, 7.31, 7.33, 7.54, allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing "traverse to parent directory" are passed through to the file APIs. CVE-2018-2380 Exploit Probability: 6.2% |
November 3, 2021 |
SAP NetWeaver AS JAVA Remote Code Execution Vulnerability |
The Invoker Servlet on SAP NetWeaver Application Server Java platforms, possibly before 7.3, does not require authentication, which allows remote attackers to execute arbitrary code via an HTTP or HTTPS request. CVE-2010-5326 Exploit Probability: 44.5% |
November 3, 2021 |
SAP NetWeaver AS JAVA XXE Vulnerability |
BC-BMT-BPM-DSK in SAP NetWeaver AS JAVA 7.5 allows remote authenticated users to conduct XML External Entity (XXE) attacks via the sap.com~tc~bpem~him~uwlconn~provider~web/bpemuwlconn URI, aka SAP Security Note 2296909. CVE-2016-9563 Exploit Probability: 84.2% |
November 3, 2021 |
SAP Netweaver JAVA remote unauthenticated access vulnerability |
SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system. CVE-2020-6287 Exploit Probability: 97.4% |
November 3, 2021 |
SAP Solution Manager Missing Authentication Check Complete Compromise of SMD Agents vulnerability |
SAP Solution Manager (User Experience Monitoring), version- 7.2, due to Missing Authentication Check does not perform any authentication for a service resulting in complete compromise of all SMDAgents connected to the Solution Manager. CVE-2020-6207 Exploit Probability: 97.3% |
November 3, 2021 |
SAP NetWeaver AS Java 7.1 - 7.5 Directory Traversal Vulnerability |
Directory traversal vulnerability in SAP NetWeaver AS Java 7.1 through 7.5 allows remote attackers to read arbitrary files via a ..\ (dot dot backslash) in the fileName parameter to CrashFileDownloadServlet, aka SAP Security Note 2234971. CVE-2016-3976 Exploit Probability: 96.9% |
November 3, 2021 |
Of the known exploited vulnerabilities above, 5 are in the top 1%, or the 99th percentile of the EPSS exploit probability rankings. 4 known exploited SAP vulnerabilities are in the top 5% (95th percentile or greater) of the EPSS exploit probability rankings.
By the Year
In 2025 there have been 0 vulnerabilities in SAP. Last year, in 2024 SAP had 76 security vulnerabilities published. Right now, SAP is on track to have less security vulnerabilities in 2025 than it did last year.
Year | Vulnerabilities | Average Score |
---|---|---|
2025 | 0 | 0.00 |
2024 | 76 | 5.91 |
2023 | 165 | 6.69 |
2022 | 187 | 6.70 |
2021 | 204 | 6.73 |
2020 | 207 | 6.24 |
2019 | 123 | 6.67 |
2018 | 127 | 6.93 |
It may take a day or so for new SAP vulnerabilities to show up in the stats or in the list of recent security vulnerabilties. Additionally vulnerabilities may be tagged under a different product or component name.
Recent SAP Security Vulnerabilities
SAP BusinessObjects BI Platform Information Disclosure Vulnerability
CVE-2024-32732
- December 10, 2024
Under certain conditions SAP BusinessObjects Business Intelligence platform allows an attacker to access information which would otherwise be restricted.This has low impact on Confidentiality with no impact on Integrity and Availability of the application.
Exposure of Sensitive System Information to an Unauthorized Control Sphere
SAP Commerce Cloud Assisted Service Module Information Disclosure Vulnerability
CVE-2024-47577
- December 10, 2024
Webservice API endpoints for Assisted Service Module within SAP Commerce Cloud has information disclosure vulnerability. When an authorized agent searches for customer to manage their accounts, the request url includes customer data and it is recorded in server logs. If an attacker impersonating as authorized admin visits such server logs, then they get access to the customer data. The amount of leaked confidential data however is extremely limited, and the attacker has no control over what data is leaked.
Cleartext Transmission of Sensitive Information
SAP NetWeaver ABAP Privilege Escalation Vulnerability
CVE-2024-47585
- December 10, 2024
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks, resulting in privilege escalation. While authorizations for import and export are distinguished, a single authorization is applied for both, which may contribute to these risks. On successful exploitation, this can result in potential security concerns. However, it has no impact on the integrity and availability of the application and may have only a low impact on data confidentiality.
AuthZ
SAP NetWeaver Administrator SSRF Vulnerability
CVE-2024-54197
- December 10, 2024
SAP NetWeaver Administrator(System Overview) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in Server-Side Request Forgery (SSRF) which could have a low impact on integrity and confidentiality of data. It has no impact on availability of the application.
SSRF
SAP NetWeaver AS ABAP RFC Request Credential Exposure Vulnerability
CVE-2024-54198
- December 10, 2024
In certain conditions, SAP NetWeaver Application Server ABAP allows an authenticated attacker to craft a Remote Function Call (RFC) request to restricted destinations, which can be used to expose credentials for a remote service. These credentials can then be further exploited to completely compromise the remote service, potentially resulting in a significant impact on the confidentiality, integrity, and availability of the application.
Improper Control of Dynamically-Identified Variables
SAP NetWeaver AS Java (System Landscape Directory) Authorization Bypass Vulnerability
CVE-2024-42372
- November 12, 2024
Due to missing authorization check in SAP NetWeaver AS Java (System Landscape Directory) an unauthorized user can read and modify some restricted global SLD configurations causing low impact on confidentiality and integrity of the application.
AuthZ
SAP NetWeaver ABAP Kernel Null Pointer Dereference Denial of Service Vulnerability
CVE-2024-47586
- November 12, 2024
SAP NetWeaver Application Server for ABAP and ABAP Platform allows an unauthenticated attacker to send a maliciously crafted http request which could cause a null pointer dereference in the kernel. This dereference will result in the system crashing and rebooting, causing the system to be temporarily unavailable. There is no impact on Confidentiality or Integrity.
NULL Pointer Dereference
SAP NetWeaver Java Software Update Manager 1.1 Credential Exposure Vulnerability
CVE-2024-47588
- November 12, 2024
In SAP NetWeaver Java (Software Update Manager 1.1), under certain conditions when a software upgrade encounters errors, credentials are written in plaintext to a log file. An attacker with local access to the server, authenticated as a non-administrative user, can acquire the credentials from the logs. This leads to a high impact on confidentiality, with no impact on integrity or availability.
Insufficiently Protected Credentials
SAP NetWeaver AS Java Unauthenticated User ID Brute Force Vulnerability
CVE-2024-47592
- November 12, 2024
SAP NetWeaver AS Java allows an unauthenticated attacker to brute force the login functionality in order to identify the legitimate user IDs. This has an impact on confidentiality but not on integrity or availability.
SAP NetWeaver ABAP Server File Disclosure Vulnerability
CVE-2024-47593
- November 12, 2024
SAP NetWeaver Application Server ABAP allows an unauthenticated attacker with network access to read files from the server, which otherwise would be restricted.This attack is possible only if a Web Dispatcher or some sort of Proxy Server is in use and the file in question was previously opened or downloaded in an application based on SAP GUI for HTML Technology. This will not compromise the application's integrity or availability.
SAP NetWeaver AS ABAP Privilege Escalation Vulnerability
CVE-2024-47595
7.1 - High
- November 12, 2024
An attacker who gains local membership to sapsys group could replace local files usually protected by privileged access. On successful exploitation the attacker could cause high impact on confidentiality and integrity of the application.
Incorrect Privilege Assignment
SAP BusinessObjects Business Intelligence Platform
CVE-2024-37179
6.5 - Medium
- October 08, 2024
SAP BusinessObjects Business Intelligence Platform allows an authenticated user to send a specially crafted request to the Web Intelligence Reporting Server to download any file from the machine hosting the service, causing high impact on confidentiality of the application.
Unrestricted File Upload
The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability
CVE-2024-45277
4.3 - Medium
- October 08, 2024
The SAP HANA Node.js client package versions from 2.0.0 before 2.21.31 is impacted by Prototype Pollution vulnerability allowing an attacker to add arbitrary properties to global object prototypes. This is due to improper user input sanitation when using the nestTables feature causing low impact on the availability of the application. This has no impact on Confidentiality and Integrity.
Prototype Pollution
SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability
CVE-2024-45278
5.4 - Medium
- October 08, 2024
SAP Commerce Backoffice does not sufficiently encode user controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.
XSS
Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method
CVE-2024-45282
5.3 - Medium
- October 08, 2024
Fields which are in 'read only' state in Bank Statement Draft in Manage Bank Statements application, could be modified by MERGE method. The property of an OData entity representing assumably immutable method is not protected against external modifications leading to integrity violations. Confidentiality and Availability are not impacted.
Trusting HTTP Permission Methods on the Server Side
SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs
CVE-2024-47594
5.4 - Medium
- October 08, 2024
SAP NetWeaver Enterprise Portal (KMC) does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability in KMC servlet. An attacker could craft a script and trick the user into clicking it. When a victim who is registered on the portal clicks on such link, confidentiality and integrity of their web browser session could be compromised.
XSS
Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform
CVE-2024-41728
2.7 - Low
- September 10, 2024
Due to missing authorization check, SAP NetWeaver Application Server for ABAP and ABAP Platform allows an attacker logged in as a developer to read objects contained in a package. This causes an impact on confidentiality, as this attacker would otherwise not have access to view these objects.
AuthZ
Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will
CVE-2024-44112
4.3 - Medium
- September 10, 2024
Due to missing authorization check in SAP for Oil & Gas (Transportation and Distribution), an attacker authenticated as a non-administrative user could call a remote-enabled function which will allow them to delete non-sensitive entries in a user data table. There is no effect on confidentiality or availability.
AuthZ
SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program
CVE-2024-44114
2.7 - Low
- September 10, 2024
SAP NetWeaver Application Server for ABAP and ABAP Platform allow users with high privileges to execute a program that reveals data over the network. This results in a minimal impact on confidentiality of the application.
AuthZ
SAP Document Builder does not perform necessary authorization checks for one of the function modules resulting in escalation of privileges causing low impact on confidentiality of the application.
CVE-2024-39591
5.3 - Medium
- August 13, 2024
SAP Document Builder does not perform necessary authorization checks for one of the function modules resulting in escalation of privileges causing low impact on confidentiality of the application.
AuthZ
Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction
CVE-2024-41734
4.3 - Medium
- August 13, 2024
Due to missing authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform, an authenticated attacker could call an underlying transaction, which leads to disclosure of user related information. There is no impact on integrity or availability.
AuthZ
SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users
CVE-2024-42373
5.4 - Medium
- August 13, 2024
SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges. On successful exploitation it could allow an attacker to delete non-sensitive report variants that are typically restricted, causing minimal impact on the integrity of the application.
AuthZ
SAP BusinessObjects Business Intelligence
Platform allows an authenticated attacker to upload malicious code over the
network
CVE-2024-28166
4.3 - Medium
- August 13, 2024
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application.
Unrestricted File Upload
Some OCC API endpoints in SAP Commerce Cloud
CVE-2024-33003
9.1 - Critical
- August 13, 2024
Some OCC API endpoints in SAP Commerce Cloud allows Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. On successful exploitation, this could lead to a High impact on confidentiality and integrity of the application.
Information Disclosure
BEx Web Java Runtime Export Web Service does not
sufficiently validate an XML document accepted from an untrusted source
CVE-2024-42374
8.2 - High
- August 13, 2024
BEx Web Java Runtime Export Web Service does not sufficiently validate an XML document accepted from an untrusted source. An attacker can retrieve information from the SAP ADS system and exhaust the number of XMLForm service which makes the SAP ADS rendering (PDF creation) unavailable. This affects the confidentiality and availability of the application.
aka Blind XPath Injection
Due to the missing authorization checks in the
local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application
Server (ABAP and Java), and SAP Content Server
CVE-2024-33005
6.3 - Medium
- August 13, 2024
Due to the missing authorization checks in the local systems, the admin users of SAP Web Dispatcher, SAP NetWeaver Application Server (ABAP and Java), and SAP Content Server can impersonate other users and may perform some unintended actions. This could lead to a low impact on confidentiality and a high impact on the integrity and availability of the applications.
AuthZ
In SAP BusinessObjects Business Intelligence
Platform, if Single Signed On is enabled on Enterprise authentication, an
unauthorized user
CVE-2024-41730
9.8 - Critical
- August 13, 2024
In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in High impact on confidentiality, integrity and availability.
AuthZ
In SAP Commerce, valid user accounts can be
identified during the customer registration and login processes
CVE-2024-41733
5.3 - Medium
- August 13, 2024
In SAP Commerce, valid user accounts can be identified during the customer registration and login processes. This allows a potential attacker to learn if a given e-mail is used for an account, but does not grant access to any customer data beyond this knowledge. The attacker must already know the e-mail that they wish to test for. The impact on confidentiality therefore is low and no impact to integrity or availability
Information Disclosure
SAP Commerce Backoffice does not sufficiently
encode user-controlled inputs
CVE-2024-41735
5.4 - Medium
- August 13, 2024
SAP Commerce Backoffice does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability causing low impact on confidentiality and integrity of the application.
XSS
Under certain conditions SAP Permit to Work
CVE-2024-41736
4.3 - Medium
- August 13, 2024
Under certain conditions SAP Permit to Work allows an authenticated attacker to access information which would otherwise be restricted causing low impact on the confidentiality of the application.
Information Disclosure
SAP CRM ABAP (Insights
Management)
CVE-2024-41737
5 - Medium
- August 13, 2024
SAP CRM ABAP (Insights Management) allows an authenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.
SSRF
SAP BusinessObjects Business Intelligence
Platform allows an authenticated attacker to upload malicious code over the
network
CVE-2024-42375
4.3 - Medium
- August 13, 2024
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application.
Unrestricted File Upload
SAP Shared Service Framework does not perform necessary
authorization check for an authenticated user
CVE-2024-42376
6.5 - Medium
- August 13, 2024
SAP Shared Service Framework does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. On successful exploitation, an attacker can cause a high impact on confidentiality of the application.
AuthZ
SAP shared service framework
CVE-2024-42377
4.3 - Medium
- August 13, 2024
SAP shared service framework allows an authenticated non-administrative user to call a remote-enabled function, which will allow them to insert value entries into a non-sensitive table, causing low impact on integrity of the application
AuthZ
SAP BusinessObjects Business Intelligence
Platform allows an authenticated attacker to upload malicious code over the
network
CVE-2024-41731
4.3 - Medium
- August 13, 2024
SAP BusinessObjects Business Intelligence Platform allows an authenticated attacker to upload malicious code over the network, that could be executed by the application. On successful exploitation, the attacker can cause a low impact on the Integrity of the application.
Unrestricted File Upload
SAP NetWeaver Application Server ABAP allows
an unauthenticated attacker to craft a URL link that could bypass allowlist
controls
CVE-2024-41732
5.4 - Medium
- August 13, 2024
SAP NetWeaver Application Server ABAP allows an unauthenticated attacker to craft a URL link that could bypass allowlist controls. Depending on the web applications provided by this server, the attacker might inject CSS code or links into the web application that could allow the attacker to read or modify information. There is no impact on availability of application.
WebFlow Services of SAP Business Workflow
CVE-2024-34689
5 - Medium
- July 09, 2024
WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.
SSRF
Due to missing verification of file type or
content, SAP Enable Now allows an authenticated attacker to upload arbitrary
files
CVE-2024-34692
4.6 - Medium
- July 09, 2024
Due to missing verification of file type or content, SAP Enable Now allows an authenticated attacker to upload arbitrary files. These files include executables which might be downloaded and executed by the user which could host malware. On successful exploitation an attacker can cause limited impact on confidentiality and Integrity of the application.
Unrestricted File Upload
SAP Transportation Management (Collaboration
Portal)
CVE-2024-37171
5 - Medium
- July 09, 2024
SAP Transportation Management (Collaboration Portal) allows an attacker with non-administrative privileges to send a crafted request from a vulnerable web application. This will trigger the application handler to send a request to an unintended service, which may reveal information about that service. The information obtained could be used to target internal systems behind firewalls that are normally inaccessible to an attacker from the external network, resulting in a Server-Side Request Forgery vulnerability. There is no effect on integrity or availability of the application.
SSRF
SAP S/4HANA Finance (Advanced Payment
Management) does not perform necessary authorization check for an authenticated
user
CVE-2024-37172
5.4 - Medium
- July 09, 2024
SAP S/4HANA Finance (Advanced Payment Management) does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. As a result, it has a low impact to confidentiality and availability but there is no impact on the integrity.
AuthZ
SAP CRM WebClient does not
perform necessary authorization check for an authenticated user, resulting in
escalation of privileges
CVE-2024-37175
6.5 - Medium
- July 09, 2024
SAP CRM WebClient does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to access some sensitive information.
AuthZ
Due to weak encoding of user-controlled input in
SAP NetWeaver Knowledge Management XMLEditor which
CVE-2024-34685
6.1 - Medium
- July 09, 2024
Due to weak encoding of user-controlled input in SAP NetWeaver Knowledge Management XMLEditor which allows malicious scripts can be executed in the application, potentially leading to a Cross-Site Scripting (XSS) vulnerability. This has no impact on the availability of the application but it has a low impact on its confidentiality and integrity.
XSS
Due to insufficient input validation, SAP
CRM WebClient UI
CVE-2024-37173
6.1 - Medium
- July 09, 2024
Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application.
XSS
Custom CSS support option in SAP CRM WebClient
UI does not sufficiently encode user-controlled inputs resulting in Cross-Site
Scripting vulnerability
CVE-2024-37174
6.1 - Medium
- July 09, 2024
Custom CSS support option in SAP CRM WebClient UI does not sufficiently encode user-controlled inputs resulting in Cross-Site Scripting vulnerability. On successful exploitation an attacker can cause limited impact on confidentiality and integrity of the application.
XSS
Elements of PDCE does not perform necessary
authorization checks for an authenticated user, resulting in escalation of
privileges
CVE-2024-39592
6.5 - Medium
- July 09, 2024
Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application.
AuthZ
SAP Landscape Management allows an authenticated
user to read confidential data disclosed by the REST Provider Definition
response
CVE-2024-39593
5.7 - Medium
- July 09, 2024
SAP Landscape Management allows an authenticated user to read confidential data disclosed by the REST Provider Definition response. Successful exploitation can cause high impact on confidentiality of the managed entities.
Information Disclosure
SAP CRM (WebClient UI Framework)
CVE-2024-39598
7.7 - High
- July 09, 2024
SAP CRM (WebClient UI Framework) allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests. On successful exploitation this can result in information disclosure. It has no impact on integrity and availability of the application.
SSRF
Manage Incoming Payment Files (F1680) of SAP
S/4HANA does not perform necessary authorization checks for an authenticated
user
CVE-2024-34691
6.5 - Medium
- June 11, 2024
Manage Incoming Payment Files (F1680) of SAP S/4HANA does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. As a result, it has high impact on integrity and no impact on the confidentiality and availability of the system.
AuthZ
Due to insufficient input validation, SAP CRM
WebClient UI
CVE-2024-34686
6.1 - Medium
- June 11, 2024
Due to insufficient input validation, SAP CRM WebClient UI allows an unauthenticated attacker to craft a URL link which embeds a malicious script. When a victim clicks on this link, the script will be executed in the victim's browser giving the attacker the ability to access and/or modify information with no effect on availability of the application.
XSS
SAP NetWeaver and ABAP platform allows an
attacker to impede performance for legitimate users by crashing or flooding the
service
CVE-2024-33001
6.5 - Medium
- June 11, 2024
SAP NetWeaver and ABAP platform allows an attacker to impede performance for legitimate users by crashing or flooding the service. An impact of this Denial of Service vulnerability might be long response delays and service interruptions, thus degrading the service quality experienced by legitimate users causing high impact on availability of the application.
An authenticated attacker can upload malicious
file to SAP Document Builder service
CVE-2024-34683
6.5 - Medium
- June 11, 2024
An authenticated attacker can upload malicious file to SAP Document Builder service. When the victim accesses this file, the attacker is allowed to access, modify, or make the related information unavailable in the victims browser.
Unrestricted File Upload
On Unix, SAP BusinessObjects Business
Intelligence Platform (Scheduling)
CVE-2024-34684
6 - Medium
- June 11, 2024
On Unix, SAP BusinessObjects Business Intelligence Platform (Scheduling) allows an authenticated attacker with administrator access on the local server to access the password of a local account. As a result, an attacker can obtain non-administrative user credentials, which will allow them to read or modify the remote server files.
Information Disclosure
Due to unrestricted access to the Meta Model
Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks
on the application, which may prevent legitimate users
CVE-2024-34688
7.5 - High
- June 11, 2024
Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it. This can result in no impact on confidentiality and integrity but a high impact on the availability of the application.
Resource Exhaustion
SAP Student Life Cycle
Management (SLcM) fails to conduct proper authorization checks for
authenticated users
CVE-2024-34690
5.4 - Medium
- June 11, 2024
SAP Student Life Cycle Management (SLcM) fails to conduct proper authorization checks for authenticated users, leading to the potential escalation of privileges. On successful exploitation it could allow an attacker to access and edit non-sensitive report variants that are typically restricted, causing minimal impact on the confidentiality and integrity of the application.
AuthZ
SAP BW/4HANA Transformation and Data Transfer
Process (DTP)
CVE-2024-37176
5.4 - Medium
- June 11, 2024
SAP BW/4HANA Transformation and Data Transfer Process (DTP) allows an authenticated attacker to gain higher access levels than they should have by exploiting improper authorization checks. This results in escalation of privileges. It has no impact on the confidentiality of data but may have low impacts on the integrity and availability of the application.
AuthZ
SAP NetWeaver AS Java (CAF - Guided Procedures)
CVE-2024-28164
5.3 - Medium
- June 11, 2024
SAP NetWeaver AS Java (CAF - Guided Procedures) allows an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted causing low impact on confidentiality of the application.
Information Disclosure
SAP Companion - version <3.1.38, has a URL with parameter that could be vulnerable to XSS attack
CVE-2024-22129
7.6 - High
- February 13, 2024
SAP Companion - version <3.1.38, has a URL with parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information and cause minor impact on the integrity of the web application.
XSS
SAP Master Data Governance for Material Data - versions 618
CVE-2024-24741
4.3 - Medium
- February 13, 2024
SAP Master Data Governance for Material Data - versions 618, 619, 620, 621, 622, 800, 801, 802, 803, 804, does not perform necessary authorization check for an authenticated user, resulting in escalation of privileges. This could allow an attacker to read some sensitive information but no impact to integrity and availability.
AuthZ
The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user
CVE-2024-25643
4.3 - Medium
- February 13, 2024
The SAP Fiori app (My Overtime Request) - version 605, does not perform the necessary authorization checks for an authenticated user which may result in an escalation of privileges. It is possible to manipulate the URLs of data requests to access information that the user should not have access to. There is no impact on integrity and availability.
AuthZ
Print preview option in SAP CRM WebClient UI - versions S4FND 102
CVE-2024-22130
5.4 - Medium
- February 13, 2024
Print preview option in SAP CRM WebClient UI - versions S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, WEBCUIF 700, WEBCUIF 701, WEBCUIF 730, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting vulnerability. An attacker with low privileges can cause limited impact to confidentiality and integrity of the appliaction data after successful exploitation.
XSS
In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization
CVE-2024-22131
7.2 - High
- February 13, 2024
In SAP ABA (Application Basis) - versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75I, an attacker authenticated as a user with a remote execution authorization can use a vulnerable interface. This allows the attacker to use the interface to invoke an application function to perform actions which they would not normally be permitted to perform. Depending on the function executed, the attack can read or modify any user/business data and can make the entire system unavailable.
Code Injection
SAP IDES ECC-systems contain code
CVE-2024-22132
6.3 - Medium
- February 13, 2024
SAP IDES ECC-systems contain code that permits the execution of arbitrary program code of user's choice.An attacker can therefore control the behaviour of the system by executing malicious code which can potentially escalate privileges with low impact on confidentiality, integrity and availability of the system.
Shell injection
SAP Bank Account Management (BAM)
CVE-2024-24739
6.3 - Medium
- February 13, 2024
SAP Bank Account Management (BAM) allows an authenticated user with restricted access to use functions which can result in escalation of privileges with low impact on confidentiality, integrity and availability of the application.
AuthZ
SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions,
CVE-2024-24740
5.3 - Medium
- February 13, 2024
SAP NetWeaver Application Server (ABAP) - versions KERNEL 7.53, KERNEL 7.54, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.93, KERNEL 7.94, KRNL64UC 7.53, under certain conditions, allows an attacker to access information which could otherwise be restricted with low impact on confidentiality of the application.
Incorrect Permission Assignment for Critical Resource
SAP CRM WebClient UI - version S4FND 102
CVE-2024-24742
4.1 - Medium
- February 13, 2024
SAP CRM WebClient UI - version S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, WEBCUIF 701, WEBCUIF 731, WEBCUIF 746, WEBCUIF 747, WEBCUIF 748, WEBCUIF 800, WEBCUIF 801, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to integrity of the application data after successful exploitation. There is no impact on confidentiality and availability.
XSS
SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50
CVE-2024-24743
7.5 - High
- February 13, 2024
SAP NetWeaver AS Java (CAF - Guided Procedures) - version 7.50, allows an unauthenticated attacker to submit a malicious request with a crafted XML file over the network, which when parsed will enable him to access sensitive files and data but not modify them. There are expansion limits in place so that availability is not affected.
XXE
Due to improper validation of certificate in SAP Cloud Connector - version 2.0, attacker
CVE-2024-25642
7.4 - High
- February 13, 2024
Due to improper validation of certificate in SAP Cloud Connector - version 2.0, attacker can impersonate the genuine servers to interact with SCC breaking the mutual authentication. Hence, the attacker can intercept the request to view/modify sensitive information. There is no impact on the availability of the system.
Improper Certificate Validation
SAP NWBC for HTML - versions SAP_UI 754
CVE-2024-22128
6.1 - Medium
- February 13, 2024
SAP NWBC for HTML - versions SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An unauthenticated attacker can inject malicious javascript to cause limited impact to confidentiality and integrity of the application data after successful exploitation.
The User Admin application of SAP NetWeaver AS for Java - version 7.50
CVE-2024-22126
8.8 - High
- February 13, 2024
The User Admin application of SAP NetWeaver AS for Java - version 7.50, insufficiently validates and improperly encodes the incoming URL parameters before including them into the redirect URL. This results in Cross-Site Scripting (XSS) vulnerability, leading to a high impact on confidentiality and mild impact on integrity and availability.
XSS
Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54, could
CVE-2024-22124
7.5 - High
- January 09, 2024
Under certain conditions, Internet Communication Manager (ICM) or SAP Web Dispatcher - versions KERNEL 7.22, KERNEL 7.53, KERNEL 7.54, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KRNL64NUC 7.22, KRNL64NUC 7.22_EXT, WEBDISP 7.22_EXT, WEBDISP 7.53, WEBDISP 7.54, could allow an attacker to access information which would otherwise be restricted causing high impact on confidentiality.
SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks
CVE-2024-21736
6.5 - Medium
- January 09, 2024
SAP S/4HANA Finance for (Advanced Payment Management) - versions SAPSCORE 128, S4CORE 107, does not perform necessary authorization checks. A function import could be triggered allowing the attacker to create in-house bank accounts leading to low impact on the confidentiality of the application.
AuthZ
In SAP Application Interface Framework File Adapter - version 702, a high privilege user
CVE-2024-21737
9.1 - Critical
- January 09, 2024
In SAP Application Interface Framework File Adapter - version 702, a high privilege user can use a function module to traverse through various layers and execute OS commands directly. By this, such user can control the behaviour of the application. This leads to considerable impact on confidentiality, integrity and availability.
Code Injection
Under certain conditions the Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) - version 1.0
CVE-2024-22125
7.5 - High
- January 09, 2024
Under certain conditions the Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) - version 1.0, allows an attacker to access highly sensitive information which would otherwise be restricted causing high impact on confidentiality.
SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs
CVE-2024-21738
5.4 - Medium
- January 09, 2024
SAP NetWeaver ABAP Application Server and ABAP Platform do not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. An attacker with low privileges can cause limited impact to confidentiality of the application data after successful exploitation.
XSS
SAP LT Replication Server - version S4CORE 103
CVE-2024-21735
7.2 - High
- January 09, 2024
SAP LT Replication Server - version S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, does not perform necessary authorization checks. This could allow an attacker with high privileges to perform unintended actions, resulting in escalation of privileges, which has High impact on confidentiality, integrity and availability of the system.
AuthZ
SAP Marketing (Contacts App) - version 160
CVE-2024-21734
5.4 - Medium
- January 09, 2024
SAP Marketing (Contacts App) - version 160, allows an attacker with low privileges to trick a user to open malicious page which could lead to a very convincing phishing attack with low impact on confidentiality and integrity of the application.
Open Redirect
SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0
CVE-2023-50424
9.8 - Critical
- December 12, 2023
SAP BTP Security Services Integration Library ([Golang] github.com/sap/cloud-security-client-go) - versions < 0.17.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Exposed Dangerous Method or Function
SAP Solution Manager - version 720
CVE-2023-49587
6.4 - Medium
- December 12, 2023
SAP Solution Manager - version 720, allows an authorized attacker to execute certain deprecated function modules which can read or modify data of same or other component without user interaction over the network.
Command Injection
SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0
CVE-2023-50423
9.8 - Critical
- December 12, 2023
SAP BTP Security Services Integration Library ([Python] sap-xssec) - versions < 4.1.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Exposed Dangerous Method or Function
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0
CVE-2023-50422
9.8 - Critical
- December 12, 2023
SAP BTP Security Services Integration Library ([Java] cloud-security-services-integration-library) - versions below 2.17.0 and versions from 3.0.0 to before 3.3.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Exposed Dangerous Method or Function
SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0
CVE-2023-49583
9.8 - Critical
- December 12, 2023
SAP BTP Security Services Integration Library ([Node.js] @sap/xssec - versions < 3.6.0, allow under certain conditions an escalation of privileges. On successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
Exposed Dangerous Method or Function
SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793
CVE-2023-49584
4.3 - Medium
- December 12, 2023
SAP Fiori launchpad - versions SAP_UI 750, SAP_UI 754, SAP_UI 755, SAP_UI 756, SAP_UI 757, SAP_UI 758, UI_700 200, SAP_BASIS 793, allows an attacker to use HTTP verb POST on read-only service causing low impact on Confidentiality of the application.
HTTP Request Smuggling
Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly
CVE-2023-6542
7.1 - High
- December 12, 2023
Due to lack of proper authorization checks in Emarsys SDK for Android, an attacker can call a particular activity and can forward himself web pages and/or deep links without any validation directly from the host application. On successful attack, an attacker could navigate to arbitrary URL including application deep links on the device.
AuthZ
SAP GUI for Windows and SAP GUI for Java
CVE-2023-49581
9.4 - Critical
- December 12, 2023
SAP GUI for Windows and SAP GUI for Java allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to write data to a database table. By doing so the attacker could increase response times of the AS ABAP, leading to mild impact on availability.
SQL Injection
SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758
CVE-2023-49580
7.3 - High
- December 12, 2023
SAP GUI for Windows and SAP GUI for Java - versions SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, allow an unauthenticated attacker to access information which would otherwise be restricted and confidential. In addition, this vulnerability allows the unauthenticated attacker to create Layout configurations of the ABAP List Viewer and with this causing a mild impact on integrity and availability, e.g. also increasing the response times of the AS ABAP.
The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100
CVE-2023-49577
6.1 - Medium
- December 12, 2023
The SAP HCM (SMART PAYE solution) - versions S4HCMCIE 100, SAP_HRCIE 600, SAP_HRCIE 604, SAP_HRCIE 608, does not sufficiently encode user-controlled inputs, resulting in Cross-Site Scripting (XSS) vulnerability. After successful exploitation, an attacker can cause limited impact on confidentiality and integrity of the application.
XSS
SAP Cloud Connector - version 2.0
CVE-2023-49578
3.5 - Low
- December 12, 2023
SAP Cloud Connector - version 2.0, allows an authenticated user with low privilege to perform Denial of service attack from adjacent UI by sending a malicious request which leads to low impact on the availability and no impact on confidentiality or Integrity of the application.
Incorrect Permission Assignment for Critical Resource
An unauthenticated attacker can embed a hidden access to a Biller Direct URL in a frame
CVE-2023-42479
6.1 - Medium
- December 12, 2023
An unauthenticated attacker can embed a hidden access to a Biller Direct URL in a frame which, when loaded by the user, will submit a cross-site scripting request to the Biller Direct system. This can result in the disclosure or modification of non-sensitive information.
XSS
In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user
CVE-2023-42481
8.1 - High
- December 12, 2023
In SAP Commerce Cloud - versions HY_COM 1905, HY_COM 2005, HY_COM2105, HY_COM 2011, HY_COM 2205, COM_CLOUD 2211, a locked B2B user can misuse the forgotten password functionality to un-block his user account again and re-gain access if SAP Commerce Cloud - Composable Storefront is used as storefront, due to weak access controls in place. This leads to a considerable impact on confidentiality and integrity.
Weak Password Recovery Mechanism for Forgotten Password
SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS
CVE-2023-42478
7.6 - High
- December 12, 2023
SAP Business Objects Business Intelligence Platform is vulnerable to stored XSS allowing an attacker to upload agnostic documents in the system which when opened by any other user could lead to high impact on integrity of the application.
XSS
SAP Master Data Governance File Upload application
CVE-2023-49058
5.3 - Medium
- December 12, 2023
SAP Master Data Governance File Upload application allows an attacker to exploit insufficient validation of path information provided by users, thus characters representing traverse to parent directory are passed through to the file APIs. As a result, it has a low impact to the confidentiality.
Directory traversal
SAP Business Objects Web Intelligence - version 420
CVE-2023-42476
6.8 - Medium
- December 12, 2023
SAP Business Objects Web Intelligence - version 420, allows an authenticated attacker to inject JavaScript code into Web Intelligence documents which is then executed in the victims browser each time the vulnerable page is visited. Successful exploitation can lead to exposure of the data that the user has access to. In the worst case, attacker could access data from reporting databases.
XSS
SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder
CVE-2023-31403
8 - High
- November 14, 2023
SAP Business One installation - version 10.0, does not perform proper authentication and authorization checks for SMB shared folder. As a result, any malicious user can read and write to the SMB shared folder. Additionally, the files in the folder can be executed or be used by the installation process leading to considerable impact on confidentiality, integrity and availability.
AuthZ
Under certain condition SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT
CVE-2023-41366
5.3 - Medium
- November 14, 2023
Under certain condition SAP NetWeaver Application Server ABAP - versions KERNEL 722, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.91, KERNEL 7.92, KERNEL 7.93, KERNEL 7.94, KERNEL64UC 7.22, KERNEL64UC 7.22EXT, KERNEL64UC 7.53, KERNEL64NUC 7.22, KERNEL64NUC 7.22EXT, allows an unauthenticated attacker to access the unintended data due to the lack of restrictions applied which may lead to low impact in confidentiality and no impact on the integrity and availability of the application.
The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50
CVE-2023-42480
5.3 - Medium
- November 14, 2023
The unauthenticated attacker in NetWeaver AS Java Logon application - version 7.50, can brute force the login functionality to identify the legitimate user ids. This will have an impact on confidentiality but there is no other impact on integrity or availability.
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented
CVE-2023-36920
6.1 - Medium
- October 30, 2023
In SAP Enable Now - versions WPB_MANAGER 1.0, WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704, the X-FRAME-OPTIONS response header is not implemented, allowing an unauthenticated attacker to attempt clickjacking, which could result in disclosure or modification of information.
Clickjacking
SAP BusinessObjects Web Intelligence - version 420, has a URL with parameter that could be vulnerable to XSS attack
CVE-2023-42474
5.4 - Medium
- October 10, 2023
SAP BusinessObjects Web Intelligence - version 420, has a URL with parameter that could be vulnerable to XSS attack. The attacker could send a malicious link to a user that would possibly allow an attacker to retrieve the sensitive information.
XSS
S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges
CVE-2023-42473
5.4 - Medium
- October 10, 2023
S/4HANA Manage (Withholding Tax Items) - version 106, does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges which has low impact on the confidentiality and integrity of the application.
AuthZ
SAP Business One (B1i) - version 10.0
CVE-2023-41365
4.3 - Medium
- October 10, 2023
SAP Business One (B1i) - version 10.0, allows an authorized attacker to retrieve the details stack trace of the fault message to conduct the XXE injection, which will lead to information disclosure. After successful exploitation, an attacker can cause limited impact on the confidentiality and no impact to the integrity and availability.
XXE
The Statutory Reporting application has a vulnerable file storage location
CVE-2023-42475
4.3 - Medium
- October 10, 2023
The Statutory Reporting application has a vulnerable file storage location, potentially enabling low privileged attacker to read server files with minimal impact on confidentiality.
Generation of Error Message Containing Sensitive Information